Efforts underway to reclaim $3 million in Bitcoin held by password manager

American engineer Joe Grand and his friend Bruno have discovered a flaw in an older version of the RoboForm password manager. Exploiting it allowed them to recover $3 million worth of Bitcoin.

In a YouTube video released on May 28, Grand said that a European crypto owner named Michael had approached him in 2022. Michael sought Grand’s assistance in recovering his Bitcoin, which was trapped on his computer because he had lost access to his 20-character password, which had been generated by RoboForm and stored in a TrueCrypt-encrypted file.

Grand and Bruno spent several months reverse-engineering the specific version of RoboForm that Michael had used back in 2013 when he created the password for his Bitcoin wallet. Eventually, they discovered a flaw in one of RoboForm’s older versions. The flaw was in the software’s password generation process: the passwords it produced were predictable from the computer’s date and time. Fortunately for Michael, his password was generated before RoboForm fixed this bug.

Investigative journalist Kim Zetter mentioned in a post that if any of RoboForm’s 6 million current users are still using passwords generated by versions prior to 2015, they may be vulnerable to having their passwords cracked in the same way. However, RoboForm has yet to make any public statements regarding this matter.

Armed with millions of passwords generated within the timeframe when Michael supposedly created his password, Grand and Bruno began brute-forcing to find the one that would grant access to Michael’s wallet. After refining their approach, they found the password, which had been created on May 15, 2013, at 4:10:40 PM GMT. This unlocked Michael’s 43.6 BTC, which is currently valued at approximately $3 million.
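
The weakness described above, a generator whose output depends only on the computer's date and time, and the reason a bounded creation timeframe leaves so few candidates, are illustrated by the following added example (not RoboForm's code and not taken from Grand's video). The generator, alphabet, sample timestamp and function names are hypothetical; the example compares a clock-seeded generator with one that draws from the operating system's CSPRNG and checks whether a stored password can be regenerated from a timestamp.

```python
import math
import random
import secrets
import string
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"  # assumed, 70 symbols
LENGTH = 20  # password length mentioned in the article

def weak_password(ts):
    """Hypothetical flawed generator: the PRNG seed is the wall-clock second."""
    rng = random.Random(int(ts.timestamp()))
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))

def strong_password():
    """Hardened form: every character comes from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))

def nominal_bits():
    """Entropy the password appears to have from its length and alphabet."""
    return LENGTH * math.log2(len(ALPHABET))

def effective_bits(window):
    """Entropy it really has if only the creation second is unknown."""
    return math.log2(window.total_seconds())

def reproducible_from_clock(password, start, end):
    """Audit check: return the timestamp that regenerates `password`, or None."""
    t = start
    while t <= end:
        if weak_password(t) == password:
            return t
        t += timedelta(seconds=1)
    return None

if __name__ == "__main__":
    created = datetime(2013, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed sample
    start, end = created - timedelta(minutes=30), created + timedelta(minutes=30)
    print("nominal bits:", round(nominal_bits(), 1))
    print("effective bits, 30-day window:", round(effective_bits(timedelta(days=30)), 1))
    print("weak reproducible at:", reproducible_from_clock(weak_password(created), start, end))
    print("CSPRNG reproducible at:", reproducible_from_clock(strong_password(), start, end))
```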

Joe Grand, the founder of Grand Idea Studio, is an electrical engineer, inventor, and hardware hacker. He is well-known in the crypto community for his role in hacking a Trezor One wallet in 2022 to aid its owner in recovering $2 million worth of BTC. Grand, who is also known by his hacker handle “Kingpin,” has an illustrious career in hardware hacking and continues to provide consultation services to companies aiming to enhance their digital security.
